GnuTLS TLS Multiple Vulnerabilities
Last Update Date: 22 Mar 2012 10:36
Release Date: 22 Mar 2012
RISK: Medium Risk
TYPE: Security software and application - Security Software & Appliance
Multiple vulnerabilities have been identified in GnuTLS, which can be exploited by malicious people to potentially compromise an application using the library.
- A vulnerability in the GnuTLS libtasn1 Tiny ASN.1 library is caused by certain functions (e.g. "asn1_der_decoding()") not properly checking the ASN.1 length returned by the "asn1_get_length_der()" function. This can be exploited to cause the library to use a large length value and corrupt memory via e.g. a specially crafted X.509 client certificate.
- An error within the block cipher decryption logic when handling TLS records can be exploited to corrupt memory via a specially crafted "GenericBlockCipher" structure.
- Some errors in the libtasn1 library can be exploited to corrupt memory.
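The first item above comes down to a decoded DER length being used without comparing it to the data actually present. The following C example is added here as an illustration and is not code from GnuTLS or libtasn1: der_read_length() and der_get_value() are hypothetical helpers, the element is assumed to have a single-octet tag, and the byte arrays are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical helper (not libtasn1's API): decode a DER length field.
 * Returns the content length, or -1 if the field is malformed.
 * *hdr_len receives the number of octets the length field occupies. */
static long der_read_length(const uint8_t *der, size_t der_len, size_t *hdr_len)
{
    if (der_len == 0) return -1;
    if ((der[0] & 0x80) == 0) {            /* short form: 0..127 */
        *hdr_len = 1;
        return der[0];
    }
    size_t n = der[0] & 0x7F;              /* long form: n length octets follow */
    if (n == 0 || n > 4 || n >= der_len)   /* indefinite, too wide, or truncated */
        return -1;
    uint32_t len = 0;
    for (size_t i = 1; i <= n; i++)
        len = (len << 8) | der[i];
    if (len > 0x7FFFFFFF)                  /* keep the result a positive long */
        return -1;
    *hdr_len = n + 1;
    return (long)len;
}

/* Caller-side check: a well-formed length is still untrusted input, so
 * compare it with the bytes actually left before using it as a size.
 * Assumes a single-octet tag. Returns the value pointer, or NULL. */
static const uint8_t *der_get_value(const uint8_t *buf, size_t buf_len, size_t *val_len)
{
    size_t hdr;
    if (buf_len < 2) return NULL;
    long len = der_read_length(buf + 1, buf_len - 1, &hdr);
    if (len < 0 || (size_t)len > buf_len - 1 - hdr)
        return NULL;
    *val_len = (size_t)len;
    return buf + 1 + hdr;
}

int main(void)
{
    /* Constructed samples: a valid OCTET STRING and one claiming ~2 GiB. */
    const uint8_t ok[]  = { 0x04, 0x03, 'a', 'b', 'c' };
    const uint8_t bad[] = { 0x04, 0x84, 0x7F, 0xFF, 0xFF, 0xFF, 'a' };
    size_t n = 0;
    printf("ok:  %s\n", der_get_value(ok, sizeof ok, &n) ? "accepted" : "rejected");
    printf("bad: %s\n", der_get_value(bad, sizeof bad, &n) ? "accepted" : "rejected");
    return 0;
}
```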
Impact
- Remote Code Execution
System / Technologies affected
- GnuTLS versions prior to 2.12.18
- GnuTLS versions prior to 3.0.16
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Update to version 2.12.18 or 3.0.16.
Vulnerability Identifier
Source
Related Link